Cleaning data out of a text file?

I get the same result with wch1zpink’s script, which I believe arises from an inconsistent number of spaces before the IP address in the text in post 19. For example:

set lineOne to "[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Wednesday, September 22, 2021 23:33:56"
set theResult to do shell script "echo " & quoted form of lineOne & " | cut -d' ' -f7"
--> 95.217.31.46,

set lineTwo to "[DoS Attack: Xmas Tress Scan] from source: 119.90.42.87, port 52921, Wednesday, September 22, 2021 23:21:25"
set theResult to do shell script "echo " & quoted form of lineTwo & " | cut -d' ' -f7"
--> source:

The problem is masked in part by the uniq command. Also, it appears that the text in post 1 has a consistent number of spaces before the IP address, which may explain the differing results.

This revision should address the issue

property stripText : " | cut -d' ' -f7 | tr -d ',' | egrep -v 'source' |  sort -n | uniq"

on open of theFiles -- Handles single or multiple dropped files
	repeat with aFile in theFiles
		tell application "Finder" to set sourceFilePath to container of aFile as alias
		set cleanedText to do shell script "cat " & ¬
			quoted form of POSIX path of aFile & stripText
		do shell script "echo " & quoted form of cleanedText & " >> " & ¬
			quoted form of POSIX path of sourceFilePath & "Cleaned_IPs.txt"
		do shell script "sort -n | uniq " & quoted form of ¬
			POSIX path of sourceFilePath & "Cleaned_IPs.txt" & ¬
			" | pbcopy -pboard ruler ; pbpaste -pboard ruler > " & ¬
			quoted form of POSIX path of sourceFilePath & "Cleaned_IPs.txt"
	end repeat
end open

I only have a passing familiarity with regex and no experience with its use with ASObjC, and I thought writing a script utilizing these might be a good learning experience. The timing test result was 65 milliseconds, which is only respectable, but the script should be reliable. The basic ASObjC regex code was from Shane’s book.

use framework "Foundation"
use scripting additions

on open theDroppedItems
	set theFile to POSIX path of item 1 of theDroppedItems
	set theIPFile to getFileName(theFile)
	set theText to (current application's NSString's stringWithContentsOfFile:theFile encoding:(current application's NSUTF8StringEncoding) |error|:(missing value))
	set theIPData to getIPData(theText)
	(current application's NSString's stringWithString:theIPData)'s writeToFile:theIPFile atomically:true encoding:(current application's NSUTF8StringEncoding) |error|:(missing value)
end open

on getIPData(theText)
	set regExPattern to "(\\d{1,3}\\.){3}\\d{1,3}"
	set theRegEx to current application's NSRegularExpression's regularExpressionWithPattern:regExPattern options:0 |error|:(missing value)
	set regExMatches to theRegEx's matchesInString:theText options:0 range:{location:0, |length|:theText's |length|()}
	
	set ipList to {}
	repeat with anItem in regExMatches
		set end of ipList to (theText's substringWithRange:(anItem's range())) as text
	end repeat
	
	set ipSet to current application's NSOrderedSet's orderedSetWithArray:ipList
	set ipSortedArray to ipSet's array()'s sortedArrayUsingSelector:"localizedStandardCompare:"
	
	return ((ipSortedArray's componentsJoinedByString:linefeed) as text)
end getIPData

on getFileName(theFile)
	set theFile to current application's NSString's stringWithString:theFile
	set fileBase to theFile's stringByDeletingPathExtension()
	set fileExtension to theFile's pathExtension()
	return ((fileBase's stringByAppendingString:"_IP")'s stringByAppendingPathExtension:fileExtension)
end getFileName

It does indeed! Thanks.

Yep that works nicely as well :slight_smile:

Revised:

property stripText : " | cut -d' ' -f7 | tr -d ',' | egrep -v 'source'"
property logFileName : "Logged IPs.txt"

on open of theFiles -- Handles single or multiple dropped files
	set oldClipboard to the clipboard
	repeat with aFile in theFiles
		tell application "Finder" to set sourceFilePath to container of aFile as alias
		set cleanedText to do shell script "cat " & ¬
			quoted form of POSIX path of aFile & stripText
		do shell script "echo -n " & quoted form of cleanedText & " >> " & ¬
			quoted form of POSIX path of sourceFilePath & quoted form of logFileName
	end repeat
	set AppleScript's text item delimiters to linefeed
	set theContentWords to words of ¬
		(read POSIX path of sourceFilePath & logFileName) as text
	set the clipboard to theContentWords
	do shell script "pbpaste | sort -n | uniq  > " & ¬
		quoted form of POSIX path of sourceFilePath & quoted form of logFileName
	set the clipboard to oldClipboard
end open

Sorry for the delay in responding, I’ve been away on holiday. Just tried this put and it works perfectly.

As per previous post, I’ve been on holiday. Just tried this out on:

[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 23:54:51
[DoS Attack: SYN/ACK Scan] from source: 213.5.229.18, port 3306, Saturday, September 25, 2021 23:14:09
[DoS Attack: SYN/ACK Scan] from source: 23.234.229.19, port 80, Saturday, September 25, 2021 23:06:51
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 23:04:37
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 23:04:35
[DoS Attack: SYN/ACK Scan] from source: 35.186.220.63, port 80, Saturday, September 25, 2021 22:48:11
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 22:40:32
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 22:04:26
[DoS Attack: SYN/ACK Scan] from source: 104.82.149.182, port 443, Saturday, September 25, 2021 21:31:44
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 21:04:35
[DoS Attack: SYN/ACK Scan] from source: 213.186.33.2, port 443, Saturday, September 25, 2021 21:03:42
[DoS Attack: RST Scan] from source: 177.234.152.194, port 7172, Saturday, September 25, 2021 20:40:06
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 20:37:54
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 20:32:18
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 20:21:40
[DoS Attack: TCP/UDP Chargen] from source: 185.94.111.1, port 39702, Saturday, September 25, 2021 20:13:36
[DoS Attack: SYN/ACK Scan] from source: 192.124.249.107, port 443, Saturday, September 25, 2021 20:02:23
[DoS Attack: SYN/ACK Scan] from source: 198.23.200.243, port 80, Saturday, September 25, 2021 19:55:25
[DoS Attack: SYN/ACK Scan] from source: 192.124.249.107, port 443, Saturday, September 25, 2021 19:54:22
[DoS Attack: SYN/ACK Scan] from source: 23.234.229.19, port 80, Saturday, September 25, 2021 19:22:39
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 19:13:39
[DoS Attack: SYN/ACK Scan] from source: 204.74.99.100, port 80, Saturday, September 25, 2021 19:11:08
[DoS Attack: SYN/ACK Scan] from source: 192.124.249.107, port 443, Saturday, September 25, 2021 19:08:48
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 19:00:24
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 18:43:43
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 18:40:48
[DoS Attack: RST Scan] from source: 52.113.194.133, port 80, Saturday, September 25, 2021 18:38:02
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 18:36:19
[DoS Attack: SYN/ACK Scan] from source: 2.16.75.200, port 443, Saturday, September 25, 2021 18:35:17
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 18:30:39
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 18:28:35
[DoS Attack: SYN/ACK Scan] from source: 192.124.249.107, port 443, Saturday, September 25, 2021 18:21:14
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 18:13:02
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 18:07:35
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 17:58:44
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 17:44:24
[DoS Attack: ACK Scan] from source: 79.174.70.178, port 443, Saturday, September 25, 2021 17:38:10
[DoS Attack: ACK Scan] from source: 79.174.70.178, port 443, Saturday, September 25, 2021 17:26:02
[DoS Attack: SYN/ACK Scan] from source: 95.217.83.105, port 25565, Saturday, September 25, 2021 17:20:48
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 17:07:14
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 16:40:03
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 16:39:38
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 16:39:31
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 16:39:20
[DoS Attack: ACK Scan] from source: 79.174.70.178, port 443, Saturday, September 25, 2021 16:36:36
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 16:29:50
[DoS Attack: ACK Scan] from source: 45.85.218.56, port 80, Saturday, September 25, 2021 16:20:26
[DoS Attack: ACK Scan] from source: 45.85.218.56, port 80, Saturday, September 25, 2021 16:20:20
[DoS Attack: ACK Scan] from source: 79.174.70.178, port 443, Saturday, September 25, 2021 16:12:32
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 16:09:27
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 15:24:34
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 14:57:55
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 14:04:37
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 13:44:11
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 13:11:19
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 12:48:06
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 12:11:35
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 11:54:58
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 10:54:20
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 10:54:03
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 10:40:16
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 10:32:38
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 10:28:51
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 09:46:08
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 09:13:35
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 09:08:57
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 08:56:27
[DoS Attack: UDP Port Scan] from source: 103.145.13.56, port 5261, Saturday, September 25, 2021 08:36:32
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 08:29:44
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Saturday, September 25, 2021 08:23:29
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 08:05:04
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 07:50:01
[DoS Attack: SYN/ACK Scan] from source: 104.21.192.109, port 80, Saturday, September 25, 2021 07:48:14
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 07:16:36
[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.77, port 54424, Saturday, September 25, 2021 07:05:27
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 06:59:32
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 06:52:48
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 06:42:45
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 06:37:06
[DoS Attack: RST Scan] from source: 204.79.197.222, port 80, Saturday, September 25, 2021 06:32:15
[DoS Attack: SYN/ACK Scan] from source: 204.79.197.222, port 80, Saturday, September 25, 2021 06:32:12
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 06:23:17
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Saturday, September 25, 2021 05:46:50
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 05:40:09
[DoS Attack: UDP Port Scan] from source: 111.40.50.89, port 17075, Saturday, September 25, 2021 05:24:32
[DoS Attack: UDP Port Scan] from source: 111.40.50.89, port 15957, Saturday, September 25, 2021 05:24:31
[DoS Attack: RST Scan] from source: 139.59.228.97, port 80, Saturday, September 25, 2021 05:14:42
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 04:57:56
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 04:33:30
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 04:05:57
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 03:30:20
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 03:23:12
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 02:40:43
[DoS Attack: SYN/ACK Scan] from source: 144.172.73.16, port 22, Saturday, September 25, 2021 01:39:05
[DoS Attack: SYN/ACK Scan] from source: 144.172.73.16, port 22, Saturday, September 25, 2021 01:36:07
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Saturday, September 25, 2021 01:31:12
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 01:24:03
[DoS Attack: SYN/ACK Scan] from source: 54.36.218.102, port 22, Saturday, September 25, 2021 01:21:43
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 01:21:37
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Saturday, September 25, 2021 01:17:34
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 01:13:03
[DoS Attack: SYN/ACK Scan] from source: 88.99.208.125, port 25565, Saturday, September 25, 2021 01:12:17
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Saturday, September 25, 2021 01:05:32
[DoS Attack: SYN/ACK Scan] from source: 134.255.220.82, port 30120, Saturday, September 25, 2021 00:41:11
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Saturday, September 25, 2021 00:34:05
[DoS Attack: SYN/ACK Scan] from source: 93.114.82.3, port 13901, Saturday, September 25, 2021 00:27:37
[DoS Attack: SYN/ACK Scan] from source: 185.19.216.119, port 8081, Saturday, September 25, 2021 00:26:52
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Saturday, September 25, 2021 00:24:40
[DoS Attack: SYN/ACK Scan] from source: 88.99.213.221, port 80, Saturday, September 25, 2021 00:16:35
[DoS Attack: ACK Scan] from source: 84.53.169.133, port 443, Saturday, September 25, 2021 00:11:21
[DoS Attack: RST Scan] from source: 23.148.145.7, port 44086, Friday, September 24, 2021 23:57:06
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 23:52:19
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 23:52:18
[DoS Attack: RST Scan] from source: 216.250.254.67, port 43676, Friday, September 24, 2021 23:48:08
[DoS Attack: RST Scan] from source: 23.148.145.233, port 47220, Friday, September 24, 2021 23:40:56
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Friday, September 24, 2021 23:24:19
[DoS Attack: RST Scan] from source: 216.250.254.67, port 41821, Friday, September 24, 2021 23:19:58
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 23:10:58
[DoS Attack: TCP/UDP Echo] from source: 141.212.123.208, port 45054, Friday, September 24, 2021 23:04:17
[DoS Attack: ACK Scan] from source: 146.0.16.243, port 80, Friday, September 24, 2021 22:33:16
[DoS Attack: SYN/ACK Scan] from source: 88.99.213.221, port 80, Friday, September 24, 2021 22:26:02
[DoS Attack: ACK Scan] from source: 104.96.80.41, port 443, Friday, September 24, 2021 22:22:20
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 22:13:15
[DoS Attack: SYN/ACK Scan] from source: 88.99.213.221, port 80, Friday, September 24, 2021 22:04:41
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Friday, September 24, 2021 22:02:10
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 21:44:54
[DoS Attack: RST Scan] from source: 45.234.96.30, port 21674, Friday, September 24, 2021 20:35:06
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Friday, September 24, 2021 20:26:29
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Friday, September 24, 2021 20:04:23
[DoS Attack: SYN/ACK Scan] from source: 46.105.114.88, port 25565, Friday, September 24, 2021 19:48:20
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 19:46:03
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 19:20:10
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 18:59:23
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 18:50:45
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 18:50:13
[DoS Attack: ACK Scan] from source: 73.4.169.252, port 9000, Friday, September 24, 2021 18:44:58
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 18:42:36
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 18:38:06
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 18:23:07
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 18:12:08
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 17:54:05
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 17:41:24
[DoS Attack: ACK Scan] from source: 104.96.80.41, port 443, Friday, September 24, 2021 17:31:45
[DoS Attack: ACK Scan] from source: 104.96.80.41, port 443, Friday, September 24, 2021 17:31:05
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 17:18:46
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 17:02:44
[DoS Attack: SYN/ACK Scan] from source: 162.241.216.182, port 443, Friday, September 24, 2021 17:00:41
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 16:55:59
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 16:41:05
[DoS Attack: ACK Scan] from source: 73.4.169.252, port 9000, Friday, September 24, 2021 16:38:34
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 16:38:02
[DoS Attack: SYN/ACK Scan] from source: 178.254.210.57, port 80, Friday, September 24, 2021 16:36:34
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 16:26:07
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Friday, September 24, 2021 15:58:49
[DoS Attack: SYN/ACK Scan] from source: 172.217.194.153, port 443, Friday, September 24, 2021 15:54:37
[DoS Attack: TCP/UDP Chargen] from source: 176.126.175.215, port 58284, Friday, September 24, 2021 15:52:18
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 15:49:31
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 15:31:34
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 15:06:11
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Friday, September 24, 2021 15:04:20
[DoS Attack: SYN/ACK Scan] from source: 88.99.189.158, port 443, Friday, September 24, 2021 14:50:56
[DoS Attack: SYN/ACK Scan] from source: 167.233.9.51, port 80, Friday, September 24, 2021 14:48:54
[DoS Attack: RST Scan] from source: 34.120.67.236, port 443, Friday, September 24, 2021 14:45:21
[DoS Attack: SYN/ACK Scan] from source: 95.217.30.172, port 443, Friday, September 24, 2021 14:38:58
[DoS Attack: RST Scan] from source: 62.171.140.77, port 8000, Friday, September 24, 2021 14:37:36
[DoS Attack: ARP Attack] from source: 192.168.1.66, Friday, September 24, 2021 14:35:32
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:29
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:35:28
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:26
[DoS Attack: ARP Attack] from source: 192.168.1.66, Friday, September 24, 2021 14:35:25
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:24
[DoS Attack: ARP Attack] from source: 192.168.1.80, Friday, September 24, 2021 14:35:23
[DoS Attack: ARP Attack] from source: 192.168.1.71, Friday, September 24, 2021 14:35:22
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:19
[DoS Attack: ARP Attack] from source: 169.254.141.163, Friday, September 24, 2021 14:35:14
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:13
[DoS Attack: ARP Attack] from source: 192.168.1.80, Friday, September 24, 2021 14:35:12
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:11
[DoS Attack: ARP Attack] from source: 169.254.141.163, Friday, September 24, 2021 14:35:09
[DoS Attack: ARP Attack] from source: 192.168.1.80, Friday, September 24, 2021 14:35:08
[DoS Attack: ARP Attack] from source: 192.168.1.74, Friday, September 24, 2021 14:35:04
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:35:04
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:53
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:52
[DoS Attack: ARP Attack] from source: 192.168.1.200, Friday, September 24, 2021 14:34:51
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:49
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:44
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:43
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:32
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:31
[DoS Attack: ARP Attack] from source: 192.168.1.250, Friday, September 24, 2021 14:34:30
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:24
[DoS Attack: ARP Attack] from source: 192.168.1.3, Friday, September 24, 2021 14:34:23
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:22
[DoS Attack: ARP Attack] from source: 192.168.1.200, Friday, September 24, 2021 14:34:21
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:19
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:18
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:11
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:10
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:09
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:08
[DoS Attack: ARP Attack] from source: 192.168.1.121, Friday, September 24, 2021 14:34:04
[DoS Attack: ARP Attack] from source: 192.168.1.67, Friday, September 24, 2021 14:34:02
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:34:01
[DoS Attack: ARP Attack] from source: 192.168.1.67, Friday, September 24, 2021 14:34:00
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:33:59
[DoS Attack: ARP Attack] from source: 192.168.1.67, Friday, September 24, 2021 14:33:56
[DoS Attack: ARP Attack] from source: 192.168.1.64, Friday, September 24, 2021 14:33:54
[DoS Attack: ARP Attack] from source: 192.168.1.75, Friday, September 24, 2021 14:33:53
[DoS Attack: RST Scan] from source: 104.82.149.182, port 443, Friday, September 24, 2021 14:33:31

Worked great but left a stray ‘n’ on the first line of the output, i.e.

n
2.16.75.200
23.148.145.233

Just needed to remove the “-n” option from the “echo” command.

property stripText : " | cut -d' ' -f7 | tr -d ',' | egrep -v 'source'"
property logFileName : "Logged IPs.txt"

on open of theFiles -- Handles single or multiple dropped files
	set oldClipboard to the clipboard
	repeat with aFile in theFiles
		tell application "Finder" to set sourceFilePath to container of aFile as alias
		set cleanedText to do shell script "cat " & ¬
			quoted form of POSIX path of aFile & stripText
		do shell script "echo  " & quoted form of cleanedText & " >> " & ¬
			quoted form of POSIX path of sourceFilePath & quoted form of logFileName
	end repeat
	set AppleScript's text item delimiters to linefeed
	set theContentWords to words of ¬
		(read POSIX path of sourceFilePath & logFileName) as text
	set the clipboard to theContentWords
	do shell script "pbpaste | sort -n | uniq  > " & ¬
		quoted form of POSIX path of sourceFilePath & quoted form of logFileName
	set the clipboard to oldClipboard
end open

Ah ha that did indeed fix it. Many thanks!

I mentioned above that I’m learning regular expressions, so I had a look at Marc Anthony’s script for that reason. It correctly returns the IP addresses, but it appears to return every other number that contains 4 or more digits.

I rewrote the regular expression, and it seemed to work as desired. It was also the fastest of the working suggestions.

do shell script "echo " & my (read (choose file))'s quoted form & " | egrep -o '(\\d{1,3}\\.){3}\\d{1,3}' | sort -h | uniq >> " & ((path to desktop as text) & "IP.txt")'s POSIX path's quoted form

If you search for ‘regex ip address’ or stuff like that, you’ll find many pages that discuss this. While the regex used here works generally, it won’t exclude incorrect addresses (e.g. those with number sets > 255) but that doesn’t look like it would be an issue here and it is less complex than those that do incorporate that constraint.

I originally posted a correctly working regex, edited it to shorten the pattern, realized the error after supplemental testing, and changed it back shortly after. :slight_smile: You captured the code in flux.

That’s a little surprising, as TIDs tend to be very speedy, but… woohoo! Chalk one one up for shell scripting.

Guys the script(s) are working well.

I’m submitting the IP’s which are attacking and it is working well. However I’m told that some of them are duplicates of those already on the master list of IP’s. So would it be possible for the script to access another list of IPs and remove any that are already on that list?

Thanks in advance for any thoughts. Oh if it helps the preferred script I’m using is this one (as it avoids conflicts with Bitdefender):

use framework "Foundation"
use scripting additions

on open theDroppedItems
	set theFile to POSIX path of item 1 of theDroppedItems
	set theIPFile to getFileName(theFile)
	set theText to (current application's NSString's stringWithContentsOfFile:theFile encoding:(current application's NSUTF8StringEncoding) |error|:(missing value))
	set theIPData to getIPData(theText)
	(current application's NSString's stringWithString:theIPData)'s writeToFile:theIPFile atomically:true encoding:(current application's NSUTF8StringEncoding) |error|:(missing value)
end open

on getIPData(theText)
	set regExPattern to "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
	set theRegEx to current application's NSRegularExpression's regularExpressionWithPattern:regExPattern options:0 |error|:(missing value)
	set regExMatches to theRegEx's matchesInString:theText options:0 range:{location:0, |length|:theText's |length|()}
	
	set ipList to {}
	repeat with anItem in regExMatches
		set end of ipList to (theText's substringWithRange:(anItem's range())) as text
	end repeat
	
	set ipSet to current application's NSOrderedSet's orderedSetWithArray:ipList
	set ipSortedArray to ipSet's array()'s sortedArrayUsingSelector:"localizedStandardCompare:"
	
	return ((ipSortedArray's componentsJoinedByString:linefeed) as text)
end getIPData

on getFileName(theFile)
	set theFile to current application's NSString's stringWithString:theFile
	set fileBase to theFile's stringByDeletingPathExtension()
	set fileExtension to theFile's pathExtension()
	return ((fileBase's stringByAppendingString:"_IP_CLEANED")'s stringByAppendingPathExtension:fileExtension)
end getFileName

To do this, you’d better write the filtering results of each text not to some new file, but to the existing properties list (.plist) of your script (application). This will change the script itself a lot. There are enough users here who can help with this. I have no time now.

Other choice is: use one persistent text file for filtering results (that is, the name and location hard-coded). When dropping the unfiltered text file on your droplet, it should firstly read contents of persistent text file into the oldIPs list variable, then append only new non-duplicate IPs to oldIPs, then sort, then write the updated list back to the persistent text file. This will change the script itself a lot as well. I have no time now.

Understood. The second option would be preferred I guess as I do keep a copy of the master list in the same location.

Any help from anyone would be appreciated. :slight_smile:

I think, code in the post #14 is what you asked for just now

I think I misread what the second option was. The master (deny) IP list is not maintained by myself but a third party. That list is updated weekly (if not daily) with all the IPs that need to be blocked on a Synology (or similar) NAS.

What I’m now looking to do is to download the latest incarnation of that list and then process my IP list from my Orbi router, remove the duplicates and sort it (as we do now) and then open the third party deny list and remove any IP addresses which are already in the master deny list.

That way any IPs I submit are only those that are new and need including in the master list. This way the author of the master deny list does not have to check all my submissions manually where a great number may be duplicated. As an example last week I submitted 25 IPs for blocking and all 25 it turns out were already on the list.

dbrewood. I’ve modified my script to work as you want. The script prompts for the IP deny list, which seems a bit awkward, but the actual path can be placed in the script instead. The IP deny list has to be paragraph-separated text of IP addresses only. I tested the script and it worked without issue.

use framework "Foundation"
use scripting additions

on open theDroppedItems
	set theFile to POSIX path of item 1 of theDroppedItems
	set theExistingFile to POSIX path of (choose file)
	set theIPFile to getFileName(theFile)
	
	set theText to (current application's NSString's stringWithContentsOfFile:theFile encoding:(current application's NSUTF8StringEncoding) |error|:(missing value))
	set theExistingText to (current application's NSString's stringWithContentsOfFile:theExistingFile encoding:(current application's NSUTF8StringEncoding) |error|:(missing value))
	set theIPData to getIPData(theText, theExistingText)
	
	(current application's NSString's stringWithString:theIPData)'s writeToFile:theIPFile atomically:true encoding:(current application's NSUTF8StringEncoding) |error|:(missing value)
end open

on getIPData(theText, theExistingText)
	set regExPattern to "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
	set theRegEx to current application's NSRegularExpression's regularExpressionWithPattern:regExPattern options:0 |error|:(missing value)
	set regExMatches to theRegEx's matchesInString:theText options:0 range:{location:0, |length|:theText's |length|()}
	
	set ipSet to current application's NSMutableSet's new()
	repeat with anItem in regExMatches
		(ipSet's addObject:(theText's substringWithRange:(anItem's range())))
	end repeat
	
	set ipExistingArray to (theExistingText's componentsSeparatedByCharactersInSet:(current application's NSCharacterSet's newlineCharacterSet()))
	set ipExistingSet to current application's NSSet's setWithArray:ipExistingArray
	
	ipSet's minusSet:ipExistingSet
	set ipSortedArray to ipSet's allObjects()'s sortedArrayUsingSelector:"localizedStandardCompare:"
	return ((ipSortedArray's componentsJoinedByString:linefeed) as text)
end getIPData

on getFileName(theFile)
	set theFile to current application's NSString's stringWithString:theFile
	set fileBase to theFile's stringByDeletingPathExtension()
	set fileExtension to theFile's pathExtension()
	return ((fileBase's stringByAppendingString:"_IP_CLEANED")'s stringByAppendingPathExtension:fileExtension)
end getFileName

Wow! That is totally awesome and does indeed look to do what is needed. I’ll not know for sure until I run it with real data, but on test data I just threw together it looked to work perfectly!

If I do want to hard code the path for the third party deny list:

“/Users/dbrewood/OneDrive/NAS/Deny List/deny-ip-list.txt”

Where exactly would I make the changes? (Sorry I can’t work out which variable I’d need to set).

Thanks again to everyone involved in this.